CVE-2026-29145 Overview
A CLIENT_CERT authentication bypass vulnerability has been identified in Apache Tomcat and Apache Tomcat Native. When soft fail is disabled, CLIENT_CERT authentication does not fail as expected in certain scenarios, potentially allowing unauthorized access to protected resources. This authentication bypass could enable attackers to circumvent client certificate validation mechanisms that are designed to ensure secure access to Tomcat-hosted applications.
Critical Impact
Organizations relying on CLIENT_CERT authentication with soft fail disabled may be vulnerable to authentication bypass, potentially exposing sensitive applications and data to unauthorized users.
Affected Products
- Apache Tomcat versions 11.0.0-M1 through 11.0.18
- Apache Tomcat versions 10.1.0-M7 through 10.1.52
- Apache Tomcat versions 9.0.83 through 9.0.115
- Apache Tomcat Native versions 1.1.23 through 1.1.34
- Apache Tomcat Native versions 1.2.0 through 1.2.39
- Apache Tomcat Native versions 1.3.0 through 1.3.6
- Apache Tomcat Native versions 2.0.0 through 2.0.13
Discovery Timeline
- April 9, 2026 - CVE-2026-29145 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-29145
Vulnerability Analysis
The vulnerability exists within the CLIENT_CERT authentication mechanism in Apache Tomcat and Tomcat Native. CLIENT_CERT authentication is a mutual TLS (mTLS) authentication method where clients present X.509 certificates to prove their identity. When properly configured with soft fail disabled, the server should reject connections when client certificate validation fails.
However, due to this flaw, certain validation scenarios do not trigger the expected authentication failure when soft fail is disabled. This creates a gap in the security model where attackers may successfully authenticate without providing valid client certificates, bypassing a critical security control.
The issue spans multiple major version branches of both Apache Tomcat (9.x, 10.x, and 11.x) and Apache Tomcat Native (1.x and 2.x), indicating a fundamental flaw in the authentication logic that has persisted across several releases.
Root Cause
The root cause lies in the improper handling of certain edge cases during client certificate validation when soft fail mode is explicitly disabled. The authentication logic fails to properly enforce certificate validation requirements in specific scenarios, allowing authentication to succeed when it should fail.
Attack Vector
An attacker could exploit this vulnerability by attempting to authenticate to a Tomcat server configured with CLIENT_CERT authentication and soft fail disabled. By crafting requests that trigger the flawed validation path, the attacker may bypass certificate validation requirements and gain unauthorized access to protected resources.
The attack requires network access to the target Tomcat server and knowledge that the server is configured to use CLIENT_CERT authentication. No prior authentication is required, as the vulnerability exists within the authentication mechanism itself.
Detection Methods for CVE-2026-29145
Indicators of Compromise
- Unusual successful authentication events from clients without valid certificates
- Authentication log entries showing inconsistent certificate validation results
- Access to protected resources by unexpected or unknown client identities
- Discrepancies between TLS handshake logs and application authentication logs
Detection Strategies
- Monitor Tomcat access logs for authentication anomalies when CLIENT_CERT is configured
- Implement audit logging for all certificate-based authentication attempts
- Compare expected client certificate fingerprints against actual authenticated sessions
- Deploy network monitoring to detect connections that bypass expected mTLS requirements
Monitoring Recommendations
- Enable verbose logging for the Tomcat authentication subsystem
- Configure alerts for authentication events that lack corresponding valid certificate validation
- Implement periodic review of authenticated sessions against known valid client certificates
- Monitor for access patterns inconsistent with legitimate certificate-authenticated clients
How to Mitigate CVE-2026-29145
Immediate Actions Required
- Identify all Apache Tomcat and Tomcat Native installations using CLIENT_CERT authentication
- Verify current versions against the affected version ranges listed above
- Plan immediate upgrades to patched versions for production systems
- Review access logs for potential exploitation during the vulnerability window
Patch Information
Apache has released patched versions that address this vulnerability. Users should upgrade to:
- Apache Tomcat: 11.0.20, 10.1.53, or 9.0.116
- Apache Tomcat Native: 1.3.7 or 2.0.14
For additional details, refer to the Apache Mailing List Thread regarding this vulnerability.
Workarounds
- Consider temporarily disabling CLIENT_CERT authentication in favor of alternative authentication mechanisms until patches can be applied
- Implement additional network-level access controls to limit exposure of affected Tomcat instances
- Deploy web application firewall (WAF) rules to enforce stricter certificate validation at the network edge
- If CLIENT_CERT must remain enabled, implement additional application-level authorization checks to validate client identity
# Example: Verify current Tomcat version (prints "Server version: Apache Tomcat/x.y.z")
$CATALINA_HOME/bin/catalina.sh version
# Example: Verify Tomcat Native library version
# The AprLifecycleListener logs the loaded native library version and APR capabilities at startup
grep -iE "Tomcat Native library|APR capabilities" /var/log/tomcat/catalina.out
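The version check above still has to be compared by hand against the ranges listed under Affected Products. The following script, added here as an example rather than taken from the advisory or from Apache, does that comparison for a Tomcat and a Tomcat Native version string; the version-key encoding and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: map "X.Y.Z" or "X.Y.Z-Mn" to an
# integer key so versions compare with plain shell arithmetic. A milestone
# (Mn) sorts below the final release of the same X.Y.Z, which is what the
# "11.0.0-M1 through 11.0.18" style of range in the advisory requires.
vkey() {
    v=$1
    base=${v%%-*}
    m=999
    case "$v" in *-M*) m=${v##*-M} ;; esac
    x=${base%%.*}; rest=${base#*.}
    y=${rest%%.*}; z=${rest#*.}
    echo $(( x * 10000000 + y * 1000000 + z * 1000 + m ))
}

# in_range VERSION LOW HIGH: exit 0 when LOW <= VERSION <= HIGH
in_range() {
    k=$(vkey "$1"); lo=$(vkey "$2"); hi=$(vkey "$3")
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Affected Apache Tomcat ranges exactly as listed in the advisory.
tomcat_affected() {
    in_range "$1" 11.0.0-M1 11.0.18 ||
    in_range "$1" 10.1.0-M7 10.1.52 ||
    in_range "$1" 9.0.83 9.0.115
}

# Affected Apache Tomcat Native ranges exactly as listed in the advisory.
tcnative_affected() {
    in_range "$1" 1.1.23 1.1.34 ||
    in_range "$1" 1.2.0 1.2.39 ||
    in_range "$1" 1.3.0 1.3.6 ||
    in_range "$1" 2.0.0 2.0.13
}

# Usage: sh check_cve_2026_29145.sh TOMCAT_VERSION [TCNATIVE_VERSION]
# (version numbers as printed by "catalina.sh version" and by the
# "Loaded Apache Tomcat Native library" startup log line)
if [ -n "$1" ]; then
    if tomcat_affected "$1"; then echo "Tomcat $1: AFFECTED, upgrade to 11.0.20 / 10.1.53 / 9.0.116"
    else echo "Tomcat $1: outside the listed affected ranges"; fi
fi
if [ -n "$2" ]; then
    if tcnative_affected "$2"; then echo "Tomcat Native $2: AFFECTED, upgrade to 1.3.7 / 2.0.14"
    else echo "Tomcat Native $2: outside the listed affected ranges"; fi
fi
```

Note that the fixed releases (11.0.20, 10.1.53, 9.0.116, 1.3.7, 2.0.14) fall outside the ranges by construction; anything in between the last affected and the fixed release should be treated as unverified and upgraded anyway.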
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.